From b8b1e31419035e62c01dcd301a5909239ae441f0 Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 9 Feb 2009 20:13:14 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39396 Exclude TRACE in OPTIONS response by default. Include it where we know it is enabled.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@742714 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/catalina/connector/RequestFacade.java | 3 ++
 .../apache/catalina/servlets/DefaultServlet.java | 47 +++++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/connector/RequestFacade.java b/java/org/apache/catalina/connector/RequestFacade.java
index 8f4383f90..2f929fb89 100644
--- a/java/org/apache/catalina/connector/RequestFacade.java
+++ b/java/org/apache/catalina/connector/RequestFacade.java
@@ -994,4 +994,7 @@ public class RequestFacade implements HttpServletRequest {
 return null;
 }
+ public boolean getAllowTrace() {
+ return request.getConnector().getAllowTrace();
+ }
 }
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index acb97d732..cf6a93f71 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -56,6 +56,7 @@ import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import org.apache.catalina.Globals;
+import org.apache.catalina.connector.RequestFacade;
 import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;
@@ -77,8 +78,7 @@ import org.apache.naming.resources.ResourceAttributes;
 public class DefaultServlet
 extends HttpServlet {
-
-
+ // ----------------------------------------------------- Instance Variables
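Review bot: The new public `getAllowTrace()` in the RequestFacade.java hunk has no Javadoc and dereferences `request` and `request.getConnector()` without any guard. If the facade's `request` field can be cleared when the request is recycled (not visible in this hunk), a late caller gets a bare NullPointerException; a check that throws `IllegalStateException` when `request == null` would make that failure explicit. A short Javadoc such as `/** Returns whether the connector that received this request has TRACE enabled; used by DefaultServlet.doOptions(). */` would also record why connector configuration is reachable through the facade. The class body starts outside the hunk.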
@@ -355,6 +355,49 @@ public class DefaultServlet
 /**
+ * Override default implementation to ensure that TRACE is correctly
+ * handled.
+ *
+ * @param req the {@link HttpServletRequest} object that
+ * contains the request the client made of
+ * the servlet
+ *
+ * @param resp the {@link HttpServletResponse} object that
+ * contains the response the servlet returns
+ * to the client
+ *
+ * @exception IOException if an input or output error occurs
+ * while the servlet is handling the
+ * OPTIONS request
+ *
+ * @exception ServletException if the request for the
+ * OPTIONS cannot be handled
+ */
+ protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+
+ StringBuffer allow = new StringBuffer();
+ // There is a doGet method
+ allow.append("GET, HEAD");
+ // There is a doPost
+ allow.append(", POST");
+ // There is a doPut
+ allow.append(", PUT");
+ // There is a doDelete
+ allow.append(", POST");
+ // Trace - assume disabled unless we can prove otherwise
+ if (req instanceof RequestFacade &&
+ ((RequestFacade) req).getAllowTrace()) {
+ allow.append(", TRACE");
+ }
+ // Always allow options
+ allow.append(", OPTIONS");
+
+ resp.setHeader("Allow", allow.toString());
+ }
+
+
+ /**
 * Process a POST request for the specified resource.
 *
 * @param request The servlet request we are processing
-- 
2.11.0
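Review bot: In `doOptions`, the line under the `// There is a doDelete` comment appends `", POST"` a second time, so the Allow header lists POST twice and never advertises DELETE; it should read `allow.append(", DELETE");`. PUT (and DELETE once corrected) are advertised unconditionally, so if the servlet can be configured to reject write methods (not visible in this hunk) the header will overstate what is accepted and should be built from that setting as well. The `req instanceof RequestFacade` test leaves TRACE out whenever a filter has wrapped the request, which is the safe direction for a method associated with cross-site tracing, but it deserves a comment such as `// wrapped requests fall through here and TRACE is omitted`.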